Recent Meet-in-the-Middle Attacks on Block Ciphersweb.spms.ntu.edu.sg/~ask/2012/slides_03_Takanori_Isobe.pdf · Background Meet-in-the-Middle（MitM）attack was proposed by Diffie

Recent Meet-in-the-Middle

Attacks on Block Ciphers

Takanori Isobe

Sony Corporation

(Joint work with Kyoji Shibutani)

ASK 2012

Nagoya, Japan

Outline

1. Meet-in-the-Middle (MitM) attacks on Block ciphers

2. MitM on Block cipher having simple KSF

XTEA, LED, Piccolo (@ ACISP 2012 w/ K. Shibutani)

GOST (@ FSE 2011 and JoC)

3. MitM on Block cipher having complex KSF

All subkeys recovery attack (@ SAC 2012 w/ K. Shibutani)

KATAN-32/48/64, SHACAL-2, CAST-128

4. Conclusion

Sony Corporation

1.Meet-in-the-Middle Attack on Block Cipher

Sony Corporation

Background

Meet-in-the-Middle（MitM）attack was proposed by Diffie and Hellman (1977)

Applied to Block Cipher such as Triple DES.

It was extended to Preimage Attack on hash function by Aoki and Sasaki (2008) [AS08]

Develop several novel techniques: Splice and Cut, Initial structure, partial matching [AS08, SA09, KRS12]

Full Preimage Attacks on MD5 and Tiger [SA09, GLRW10]

Best Preimage Attacks on SHA-1 and SHA-2 [KK12, KRS12]

Convert it into Collision attack : Pseudo collision on SHA-2 [LIS12]

Collision Attack on Skein [K’12]

Recently, MitM is applied to Block cipher with several techniques.Single Key Attacks on full KTANTAN and GOST [BR09, I’11]

Best Attacks on AES, IDEA, XTEA, LED and Piccolo [BKR11, KLR11, IS12 ]

Sony Corporation

Meet-in-the-Middle Attack on Block Cipher [BR09]

2l -s2l1

Surviving Key

Space

Master KeySpace

MitMStage

Key TestingStage

Correct key

Sony Corporation

@ MITM stage : Filter out a part of wrong keys by using MitM techniques@ Key testing stage : Find the correct key in the brute force manner.

Consists of two stages : MitM stage ⇒ Key testing stage

l : key size in bit

s : matching state in bit

MitM Stage

Plain text Block cipher Cipher text

master key

l

n

Sony Corporation

Preparation

Divide Block cipher into two sub function E1 and E2

# Block cipher : l bit master key and n bit block size

MitM Stage

Sony Corporation

Preparation


Plain text Cipher text

l

n

E1 E2

master key


MitM Stage

Plain text Cipher textn

Sony Corporation

Preparation


Construct 3-subset of master key A0, A1, and A2

E1 E2

K1 K2

A0A1 A2

K1: sub set of key bits used in E1.K2: sub set of key bits used in E2.

A0 = K1∩K2A1 = K1/(K1∩K2)A2 = K2/(K1∩K2)

K1 = A0, A1 K2 = A0, A2


MitM Stage

1. Guess the value of A02. Compute v for all value of A1 and make a table (A1, v ) pairs3. Compute u for all value of A24. If v = u, then regard (A0, A1, A2) as key candidates 5. Repeat 2-4 with all value of A0 (2|A0|times)

Sony Corporation

Plain text Cipher textn

E1 E2

K1 = A0, A1 K2 = A0, A2

K1 K2

A0A1 A2

l : key size in bit s : matching state size

# of surviving key candidates :(2|A1|+|A2| / 2s)×2|A0| = 2l -s

v u

Key Testing StageTest surviving keys in brute force manner by using additional data.

2l -s2l1

Surviving Key

Space

Master KeySpace

MitMStage

Key TestingStage

Correct key

Sony Corporation

l : key size in bit s : matching state size

Evaluation

2l -b2l1

Surviving Key

Space

Master KeySpace

MitMStage

Key TestingStage

Correct key

Complexity = 2|A0|(2|A1|+2|A2|) + (2l-s +2l-2s+…) Data = max ( 1 , l/b )

The Point of the attack : Find independent sets ofmaster key bit such as A1 and A2

Sony Corporation

K1 K2

A0A1 A2

Advanced techniques

internal use only

Partial Matching [AS08]

internal use only

E1 E2

Match a part of state instead of full state

Pn

C

Advantage: => allow to omit key bits around matching state

Disadvantage: => decrease rate of rejected keys @matching state

K1 K2

K1 K2

A0A1 A2

Splice and Cut [AS08]

E2

Sony Corporation

E3

regard the first and last round as contiguous rounds

CPn

str

Advantage: => choose chucks freely similar to hash functions

Disadvantage: => increase required data complexity

K1 K2 K1

E1

Encryption/Decryption Oracle

K1 K2

A0A1 A2

Initial Structure [SA09]

E1 E2

Sony Corporation

E3

Exchange key bits around start state

CPn

IS

Biclique technique [KRS12]

K1K1 K2 K2K1

K1 K2

A0A1 A2

2.MitM attack on Block Cipher having Simple KSF

Sony Corporation

- XTEA, LED, Piccolo (ACISP 2012, w/ K.Shibutani)- GOST (FSE 2011, JoC)

Simple Key Scheduling

Simple Key Scheduling = Bit (word) Permutation based

Used in many lightweight Block ciphers

GOST, XTEA, HIGHT, LED, Piccolo

Sony Corporation

8round

k1||…||k8

8round 8round 8roundP C

k1||…||k8 k1||…||k8k8||…||k1

reverse order

Ex : GOST block cipher

=>256 bit key is divided into eight 32 bit words s.t. k1||…||k8

It is relatively easy to evaluate of security against MitM,because we can focus on only data processing part

Target Ciphers

XTEA (64-bit block, 128 bit key) [NW97]

developed in 1997

Data processing part : Feistel

LED (64-bit block, 64-128 bit key) [GPPR11]

Proposed @ CHES2011

Data processing part : SPN (AES base)

Piccolo (64-bit block, 80/128 bit key) [SIHMAS11]

Proposed @ CHES2011

Data processing part : A variant of Generalized Feistel

Sony Corporation

All of them employ simple key scheduling Function

Piccolo: Overall Structure

Sony Corporation

Round Permutation

F

Round Permutation

F

F

F

plaintext

64

16

F F

...

64

ciphertext

Data processing part:

a variant of generalized Feistel network

2 3 1 11 2 3 11 1 2 33 1 1 2

S

S

S

S

M S

S

S

S

4

16

F-function

Keyless SPS-type F-function

#round : 25 (80-bit key), 31 (128-bit key)


Sony Corporation

Round Permutation

F

Round Permutation

F

F

F

plaintext

64

16

F F

...

64

ciphertext

Data processing part:

a variant of generalized Feistel network

8

64

64

Half-word based round permutation


Sony Corporation

Round Permutation

F

Round Permutation

F

F

F

plaintext

64

16

F F

...

64

ciphertext

key ={K0 | K1 | …| K6 | K7}

K0, K1

K2, K3

K4, K5

K2, K5

(|Ki| = 16-bit)

K7, K4

(128-bit key)

Key scheduling part:

“16-bit word Permutation”

Target variant of Piccolo-128

21 round reduced Piccolo-128 (round 2-22)

Sony Corporation

P C64

31-round Piccolo-128

Key

1 2 3 4 30 3122 23

P C64


Key

2 22

21 round Piccolo-128

Sony Corporation

P C64

K4

K5

K6

K7

K2

K1

K6

K7

K0

K3

K4

K5

K6

K1

K4

K5

K2

K7

K0

K3

K4

K1

K0

K3

K6

K5

K2

K7

K0

K1

K2

K7

K4

K3

K6

K5

K2

K1

K6

K5

K0

K7

P C64


2 22

Piccolo’s Key scheduling => word permutation

Attacking 21-round Piccolo-128

Sony Corporation

P C64

K4

K5

K6

K7

K2

K1

K6

K7

K0

K3

K4

K5

K6

K1

K4

K5

K2

K7

K0

K3

K4

K1

K0

K3

K6

K5

K2

K7

K0

K1

K2

K7

K4

K3

K6

K5

K2

K1

K6

K5

K0

K7

Spice and Cut technique

E1E2

E2

Construct two chunks E1 and E2 by using Spice and Cut technique


Sony Corporation

Construct two chunks E1 and E2 by using Spice and Cut techniqueNeutral word of E1 : K3

Neutral word of E2 : K6

P C64

K4

K5

K6

K7

K2

K1

K6

K7

K0

K3

K4

K5

K6

K1

K4

K5

K2

K7

K0

K3

K4

K1

K0

K3

K6

K5

K2

K7

K0

K1

K2

K7

K4

K3

K6

K5

K2

K1

K6

K5

K0

K7

K1 K2

A0A1 A2

A0 = K1∩K2 = K0, K1, K2, K4, K5, K7A1 = K1/(K1∩K2) = K3A2 = K2/(K1∩K2) = K6

|A0| = 112, |A1| = |A2| = 8

E1E2

E2


Sony Corporation

P C64

K4

K5

K6

K7

K2

K1

K6

K7

K0

K3

K4

K5

K6

K1

K4

K5

K2

K7

K0

K3

K4

K1

K0

K3

K6

K5

K2

K7

K0

K1

K2

K7

K4

K3

K6

K5

K2

K1

K6

K5

K0

K7

Initial structure(called Biclique)

Construct two chunks E1 and E2 by using Spice and Cut techniqueNeutral word of E1 : K3

Neutral word of E2 : K6

E1E2

E2

Initial Structure (biclique)

K3 and K6 are exchangeable/movable

These differential trails do not share nonlinear component (formally called Biclique)

Sony Corporation

k3

k6

k3

k6

Do not share nonlinear function


Sony Corporation

Neutral word of forward process : K3

Neutral word of backward process : K6

P C64

K4

K5

K6

K7

K2

K1

K6

K7

K0

K3

K4

K5

K6

K1

K4

K5

K2

K7

K0

K3

K4

K1

K0

K3

K6

K5

K2

K7

K0

K1

K2

K7

K4

K3

K6

K5

K2

K1

K6

K5

K0

K7

Partial matchingInitial structure(called Biclique)

K1 K2

A0A1 A2A1 = K3A2 = K6

E1E2

E2

Partial Matching

some key bits around the matching point can be omitted.

Sony Corporation

k6

k3

Matching

k6 do not affect matching state

k3 do not affect matching state


Sony Corporation

Neutral word of forward process : K3


P C64

K4

K5

K6

K7

K2

K1

K6

K7

K0

K3

K4

K5

K6

K1

K4

K5

K2

K7

K0

K3

K4

K1

K0

K3

K6

K5

K2

K7

K0

K1

K2

K7

K4

K3

K6

K5

K2

K1

K6

K5

K0

K7

Partial matchingInitial structure(called Biclique)

K1 K2

A0A1 A2A1 = K3A2 = K6

Evaluation

21-round Attack on Piccolo-128

time complexity : 2112 (28+28) + 2112 =2121

Data : 264 (code book)

memory 28

Sony Corporation

|A0| = 112, |A1| = |A2| = 8

2128-162128

1

Surviving Key

Space

Master KeySpace

MitMStage

Key TestingStage

Correct key

Complexity = 2|A0|(2|A1|+2|A2|) + (2l-b +2l-2b+…) Data = max ( 1 , l/b )

29-round XTEA Attack

round 11 to 39 (29 round )Neutral word of forward process : K0


Sony Corporation

Evaluation of 29-round Attack on XTEA-128

Time complexity : 2120 (24+24) + 2124 = 2124

Data : 245 KP

Memory 24|A0| = 120, |A1| = |A2| = 4

E2 E1 E2 CPn

PM

A1= lower 4 bits of K0

A0A1 A2

A2= lower 4 bits of K3A2= lower 4 bits of K3

A2 affect 45 bits of P

11 15 21 33 39

Partial matching

128 bit key = K0 ||..||K3

16 round LED-128 Attack

Sony Corporation

round 1 to 16 (16 round )

Evaluation of 16-round Attack on LED-128

Time complexity : 296 (216+216) + 296 = 2112

Data : 216 KP

Memory 216|A0| = 96, |A1| = |A2| = 16

A0A1 A2

4-round 4-round 4-round 4-roundP C

K1 K2K1 K2 K1

Matching throughMixcolumn [S’11]

A2= lower 16 bits of K2 A1= lower 16 bits of K1

A2 affect 16 bits of P

128 bit key = K1 ||K2

Results

Sony Corporation

Algorithm #Full round Type of Attack #attacked round Paper

XTEA 64

Meet-in-the-Middle 23 [SMWP11]

Impossible differential 23 [CWP12]

zero correlation Linear 27 [BW12]

Meet in the Middle 28 [SWS+12]

Meet in the Middle 29 Our

LED-64 32 Differential/Linear 8 [GPPR11]


LED-128 48 Differential/Linear 8 [GPPR11]


Piccolo-64 25 Differential/Linear 9 [SIH+11]


Piccolo-128 31 Differential/Linear 9 [SIH+11]


MitM attack on Block Cipher having Simple KSF

Update best attack of target ciphers

2.MitM attack on Block Cipher having Simple KSF

Sony Corporation

- XTEA, LED, Piccolo (ACISP 2012, w/ K.Shibutani)- GOST (FSE 2011, JoC)

GOST Bloch Cipher

Sony Corporation

GOST Block CipherSoviet Encryption Standard “GOST 28147-89”.

Standardized in 1989 as the Russian Encryption Standard.

Called Russian DES .

No Single key attack on Full round GOST until 2011.

Implementation AspectA. Poschmann et.al. show the 650-GE H/W implementation @CHES 2010

Considered as Ultra light weight Block cipher.

Structure of GOST

Round function

Round function

Round function

Round function

Swap

Plain text

Rk1

…

Rk2

Rk31

Rk32

Cipher text

Master key = K1||K2||…||K8

64

64

32

64

32-round Feistel Structure with 64-bit block and 256-bit key

256 bit 32 bit × 8

<<<11

S1

S2

S8

…

Rki

Sony Corporation

Key schedule : 32-bit word permutation

Application to Full GOST

8round

k1||…||k8


k1||…||k8 k1||…||k8k8||…||k1

reverse order

Sony Corporation

Reflection Property [KM07]

8round

k1||…||k8


k1||…||k8 k1||…||k8k8||…||k1

reverse order

GOST’s Reflection property was shown by Kara [K’08].- # of fixed points of last 16 round is 232

Probability Pref = 2-32 (>>2-64)

Sony Corporation

C

16 round

X1 X1

X232 X232… …

Reflection Skip

8round

k1||…||k8

8roundP C

k1||…||k8

Pref = 2-32

Reflection skip!

Sony Corporation

@Data collection stage: Collect 232 known plaintext/ciphertext pairs=> There is one pair in which reflection skip occur

C

R-MITM Stage

8round

k1||…||k8

8roundP C

k1||…||k8

4 round 4 round4 round 4 roundP C

k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

Sony Corporation

For all 232 Plaintext/Ciphertext,we mount MitM approach, assuming that the reflection skip occurs.

MITM Stage


k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

Sony Corporation

MITM Stage


k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

K1 K2 K1 K2

2128 2128K1 K2

Sony Corporation

E1E2E1 E2

independent

MITM Stage


k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

K1 K2 K1 K2

2128 2128K1 K2

Sony Corporation

In the straightforward method,It is difficult to mount the MITM attack.

Because there are 4 chunks.

Equivalent-key technique

Equivalent Keys

Sony Corporation

4 roundP

k1||…||k4

K1

X

Fix Fix

Define Equivalent keys used for our attack as“a set of keys that transforms P to X for 4-round unit”

Equivalent Keys

Sony Corporation

4 roundP

k1||…||k4

K1

X

k1F

k2F

k1 : Guess

k3F

k4F

k2 : Guess

k3 : Determine

k4 : Determine

Fix

32 bit

32 bit

32 bit

32 bit

Given the values of (fixed) P and X, It is easy to find such set.

Fix


Equivalent Keys

Sony Corporation

4 roundP

k1||…||k4

K1

X

k1F

k2F

k1 : Guess

k3F

k4F

k2 : Guess

k3 : Determine

k4 : Determine

Fix

32 bit

32 bit

32 bit

32 bit

For each (P, X) pair,there are 264 such equivalent keys

Fix


Given the values of (fixed) P and X, It is easy to find such set.

Equivalent Keys

Sony Corporation

4 roundP

k1||…||k4

K1

X

Categorize K1 into sets of equivalent keys depending on X,where P is fixed one value and X has 264 values

K1

Fix 264

a set of equivalent keysincluding 264 keys

264 sets of 264 keys(cover 2128 key space)

2128

Equivalent Keys


k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

K1 K2 K1 K2

X

2128K1264

2128K2

Y

Sony Corporation

Effective MITM approachGuess values of X and Y.

Sony Corporation


k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

K1 K2 K1 K2

X Y

2128K1264

2128K2

Effective MITM approachChoose two set from K1 and K2, which transform X and Y

Sony Corporation


k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

K1 K2 K1 K2

X Y

2128K1264

2128K2

Effective MITM approach

Sony Corporation


k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

K1 K2 K1 K2

X

2128K1264

2128K2

Y

Mount MITM approach in only intermediate 8 round.


Sony Corporation


k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

K1 K2 K1 K2

X

2128K1264

2128K2

Y

MITM




k1||…||k4 k5||…||k8 k1||…||k4 k5||…||k8

K1 K2 K1 K2

X

2128K1264

2128K2

Y

Fix Fix

MITM

Repeat these steps with all values of X and Y(2128 (=264×264) times)

Sony Corporation


Evaluation

222422561

Surviving Key

Space

Master KeySpace

MITMStage

Key TestingStage

Correct key

Complexity = ( 2128(264+264) + (2256-32 +2256-64+…) )= 2225

Data = max ( 232 , 8 ) = 232

It is faster than brute force attack (2256)

Sony Corporation

232

Result

Key Setting

Type of Attack Round Complexity Data Paper

Single Key

Differential 13 - 251 (CP) [SK00]

Slide 24 263 264 − 218 (KP) [BDK07]

Slide 30 2254 264 − 218 (KP) [BDK07]

Reflection 30 2224 232 (KP) [K08]

Reflection-MITM 32 (Full) 2225 232 (KP) Ours

MitM attack 32(Full) 2192 264 (KP) [DDS12]

Sony Corporation

First Single Key Attack on GOST block cipher

Applicable to any S-box even including not bijective.[Joc ver.]

Several Improvements have been proposed so far.

3.MitM attack on Block Cipher having Complex KSF

Sony Corporation

- All Subkeys Recovery Attack on Block cipher(SAC 2012 w/ K. Shibutani)

MitM Attack on Block Cipher

Mainly Exploits low key dependency of KSF.

Work well for simple key scheduling. Recent Attacks : KTANATAN, GOST, XTEA, IDEA, LED, Piccolo

=> (permutation base KSF)

Complex KSF is difficult to analyze or evaluate Only AES attack (complicated and specific)

Our Questions

How do we evaluate block cipher having complex KSF against MitM attack?

How secure is complex KSF against MitM attack?

Sony Corporation

K1 K2

A0A1 A2

hard to find independent key bits….

Our Approach

Our Approach

Finding “all subkeys” instead “master key”

Sony Corporation

Extend MitM attack so that it can be applied to wider class of block cipher

Data Processing

master key

Sub key 2

Plaintext

Ciphertext

KSF

Sub key 1

Sub key X

Give a general method for evaluating MitM attack=> All Subkey Recovery (ASR) Attack

Assumption

All subkey are considered as independent variables

do not use any relation between subkey bits

Sony Corporation

subset1 subset2 subset X

independent sets

K1 K2

A0A1 A2

hard to find independent key bits….

All subkeys

• Search Space => increase : All subkey space (larger than master key)

•Easily mount MitM attack!! => All subkey bits are independent bits

master key

How to recover all subkeys

Meet in the Middle Approach

Sony Corporation

Plaintext

Ciphertext

subkey1

subkey2

subkey3

subkey4

subkey5

subkey R-4

subkey R-3

subkey R-2

subkey R-1

subkey R

l bits

All subkey : R・l bits ( > master key bits)-R is round number

- l is subkey bits per round

Assumption : All subkeys are independent variables

All subkeys = R・l bits

master key



Sony Corporation

S

Plaintext

Ciphertext

subkey1

subkey2

subkey3

subkey4

subkey5

subkey R-4

subkey R-3

subkey R-2

subkey R-1

subkey R

1. Choose s-bit matching state Sl bits

All subkey bits = R・l



Sony Corporation

S

Plaintext

Ciphertext

E1

E2

subkey1

subkey2

subkey3

subkey4

subkey5

subkey R-4

subkey R-3

subkey R-2

subkey R-1

subkey R

1. Choose s-bit matching state S

2. Construct sets of K1 and K2 such that

s = E1(K1, P) and s = E2(K2, C)

3. Compute s = E1(K1, P) with all K1

and Make Table of (s, K1) pairs

4. Compute s’ = E2(K2, C) with all K2

5. If s = s’, regard it as key candidate

# surviving key candidate : 2R・l – s

l bits

additionally use N plaintext

# surviving key candidate : 2R・l – N・s

K1

K2

K3

All subkey bits = R・l = |K(1)| + |K(2)| + |K(3)|

K1 K2

Parallel MitM

Parallel MitM attack

Given N Plaintext/Ciphertext

Sony Corporation

subkey2

K1

K2

P1 P2PN

C1 C2CN

E1 E1 E1

E2E2 E2

# surviving key candidate : 2R・l – N・s

s bit s bit s bit

Filter out wrong keys by using N matching state

Evaluation

Time complexity

max (2|K(1)|, 2|K(2)|)×N + 2R・l-N・s

Data

max (N, (R・l-N・s)/n ) KP

Memory

min(2|K(1)|,2|K(2)|)×N

used for matching

Sony Corporation

MitM filteringbrute force ofsurviving key

S

Plaintext

Ciphertext

E1

E2

subkey1

subkey2

subkey3

subkey4

subkey5

subkey R-4

subkey R-3

subkey R-2

subkey R-1

subkey R

l bits

K1

K2

K3

All subkey bits = R・l = |K(1)| + |K(2)| + |K(3)|

Example : 7-round CAST

Sony Corporation

7-round Balanced Feistel Network40 - 128-bit key, 64-bit block, 37-bit subkey per round

K1 F

F

F

F

F

F

F

K2

K3

K4

K5

K6

K7

Plaintext

Ciphertext

3764

128 bit key

KSF

s = F(1)(K1, K2, K3)

s = F(2)(K5, K6, K7)

|K(1)| = 111

|K(2)| = 111

|s| = 32

<6 parallel MitM>

Time complexity :

max (2|K(1)|, 2|K(2)|)×N + 2R・l-N・s = 2114

Data max (N, (R・l-N・s)/n ) KP = 6

Memory min(2|K(1)|,2|K(2)|)×N = 2114

master key40-128 bits

All subkeys = 259 bits

All subkeys = 259 bits

Example : 7-round CAST

Sony Corporation

7-round Balanced Feistel Network40 - 128-bit key, 64-bit block, 37-bit subkey per round

F

F

F

F

F

F

F

Plaintext

Ciphertext

3764

128 bit key

KSF

s = F(1)(K1, K2, K3)

s = F(2)(K5, K6, K7)

|K(1)| = 111

|K(2)| = 111

|s| = 32

N = 6

Time complexity :

max (2|K(1)|, 2|K(2)|)×N + 2R・l-N・s = 2114


Memory min(2|K(1)|,2|K(2)|)×N = 2114

RK1

RK2

RK3

RK4

RK5

RK6

RK7

For 7 round CAST-128 with key size > 110, ASR attack is more effective than brute force attack

All subkey = 259 bit

Previous Best attack : 6-round linear attack [M.Wang+09]

Key of ASR Attack

Complexity

max (2|K(1)|, 2|K(2)|)×N + 2R・l-N・s

=> dominated by |K(1)| and |K(2)|

Sony Corporation

Smaller |K(1)| and |K(2)| leads to more efficient attack

Point Finding the matching state S that can be computed by the smallest max(|K(1)|, |K(2)|)

SHACAL-2

Selected by NESSIE portfolio

block size : 256 bits, key size : <= 512 bits

Based on SHA-256 compression function

64-round GFN like construction

Current Attack : 32 round (Differential-linear)

[Y. Shin+04]

Sony Corporation

41-round Attack

Sony Corporation

|S | = 32

Plaintext

Ciphertext

F(2)

l bits

W0

W1

W2

A16

W15

W16

W22

W23

W40

F(1)

K(1)∈ {W0-W14, lower 4 bit of W15}

K(2)∈ {W26-W40, lower 4 bit of W23, W24, W25}

|K(1)| = 484

|K(2)| = 492

master key-< 512 bits

All subkeys =1184 bits

N = 244

Time complexity :

max (2|K(1)|, 2|K(2)|)×N + 2R・l-N・s = 2500


Memory min(2|K(1)|,2|K(2)|)×N = 2500

KATAN Family

Ultra lightweight block cipher (CHES 2010)

block size : 32/48/64 bits, key size : 80 bits

Based on Stream cipher Trivium

254 round LFSR-type construction

Best Attack 78/70/68 round on KATAN32/48/64

[K+10]

Sony Corporation

0 1 2 3 4 5 6 7 8 9 10 11 12

18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

IR k2i

k2i+1

Round constant

Round key

Round key

XOR

AND

L1

L2

Attack Strategy

Point of Attack :

Finding the state S computed by the smallest max(|K(1)|, |K(2)|)

Sony Corporation

In order to find “good state”, we exhaustively observe the number of key bits involved in each state per round

Plaintext

N round

stateL1[0]-[12]

L2[0]-[18]

Attack Strategy

Point of Attack :


Sony Corporation


Plaintext

N round

stateL1[0]-[12]

L2[0]-[18]

0 1 2 3 4 5 6 7 8 9 10 11 12

108 104 102 100 98 98 96 94 92 88 86 84 84

0 1 2 3 4 5 6 7 8 9 10 11 12

104 102 100 98 100 93 92 90 88 90 87 85 83

L1

L2

13 14 15 16 17 18

77 75 75 75 74 68

After 63 round

Attack Strategy

Point of Attack :


Sony Corporation


Plaintext

N round

stateL1[0]-[12]

L2[0]-[18]

0 1 2 3 4 5 6 7 8 9 10 11 12

108 104 102 100 98 98 96 94 92 88 86 84 84

0 1 2 3 4 5 6 7 8 9 10 11 12

104 102 100 98 100 93 92 90 88 90 87 85 83

L1

L2

13 14 15 16 17 18

77 75 75 75 74 68

L2[18] can be computed by 68 bit of subkey and Plaintext

After 63 round

110 round Attack on KATAN32

Sony Corporation

Plaintext

63 round

47 round

Ciphertext

L2[18] |S | = 1

K(1)∈ {k0-k54, k56, k57, k58, K60-k64, k68, k71,k73,k77,k88 }

|K(1)| = 68

|K(2)| = 70

K(2)∈ {k126,k138,k142,k146,k148,k150,k153,k154,k156,k158,k160-k219}

N = 138

Time complexity :

max (2|K(1)|, 2|K(2)|)×N + 2R・l-N・s = 277.1


Memory min(2|K(1)|,2|K(2)|)×N = 275.1



Sony Corporation

Plaintext

58 round

42 round

Ciphertext

L2[18] |S | = 1

K(1)∈ {k0-k60, k62, k64, k65, k66, k69, k71, k72, k75, k79, k86}

|K(1)| = 71

|K(2)| = 71

K(2)∈ {k116,k122,k124,k128,k130,k132,k134,k135,k136,k138-k199}

N = 128

Time complexity :

max (2|K(1)|, 2|K(2)|)×N + 2R・l-N・s = 278


Memory min(2|K(1)|,2|K(2)|)×N = 278



Sony Corporation

Plaintext

54 round

40 round

Ciphertext

L2[18] |S| = 1

K(1)∈ {k0-k61,k63,k64,k65,k66,k68,k69,k71,k75,k82 }

|K(1)| = 71

|K(2)| = 71

K(2)∈ {k108,k110,k114,k116,k118,k120,k122,k124-k187}

N = 116

Time complexity :

max (2|K(1)|, 2|K(2)|)×N + 2R・l-N・s = 277.68


Memory min(2|K(1)|,2|K(2)|)×N = 277.68


Our Results

Sony Corporation

Algorithm #attacked round Time Memory Data reference

CAST-128 6 288.5 - 253.96 KP [MXC09]

7 2114 2114 6KP Our

SHACAL-2 32 2504.2 248.4 243.4CP [S+04]

41 2500 2492 244 KP Our

KATAN32 78 276 - 216 CP [KMN10]

110 277 275.1 138 KP Our

115 - - [AL12]

KATAN48 70 278 - 231 CP [KMN10]

100 278 278 128 KP Our

KATAN64 68 278 - 232 CP [KMN10]

94 277.68 277.68 116 KP Our

FOX128 5 2205.6 - 29 CP [WZF05]

5 2228 2228 14 KP Our

Blowfish* 16 2292 2260 9 KP Our

Blowfish-8R* 8 2160 2131 5 KP Our

We can update best attack w.r.t. #attacked round

* : Known F function setting# CAST, SHACAL, Blowfish support variable key length, our attacks are applicable to restricted parameter

Advantage and Limitation

Advantage

Our attack works any KSF even if Ideal function.

Generic and simple attack

Thanks to MitM attack w/o Spice and Cut,

Data complexity is very low.

Limitation

When Key size is smaller, ASR attack is less effective.

=> bound of attack complexity = key size (not all subkeys)

Huge memory requirement

Sony Corporation

Conclusion

Introduced several results w.r.t MitM attack of Block Cipher

MitM on Block cipher having simple KSF

XTEA, LED, Piccolo (@ ACISP 2012 w/ K. Shibutani)

GOST (@ FSE 2011 and JoC)

MitM on Block cipher having complex KSF

All subkeys recovery attack (@ SAC 2012 w/ K. Shibutani)

KATAN-32/48/64, SHACAL-2, CAST-128

Sony Corporation

Thank you for your attention

Sony Corporation

Reference[AS08] : K. Aoki and Y. Sasaki, “Preimage Attacks on One-Block MD4, 63-Step MD5 and More”, SAC 2008

[SA09] :Y. Sasaki and K. Aoki, “Finding Preimages in Full MD5 Faster Than Exhaustive Search”, EUROCRYPT2009

[GLRW10] : J. Guo, S. Ling, C. Rechberger and H. Wang, “Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2”, ASIACRYPT2010

[KK12] : S. Knellwolf and D. Khovratovich, “New Preimage Attacks against Reduced SHA-1”, CRYPTO2012

[KRS12] : D. Khovratovich and C. Rechberger and A. Savelieva, “Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family” FSE2012

[LIS12] : L, Ji, T. Isobe and K.Shibutani,”Converting Meet-in-the-Middle Preimage Attack into Pseudo Preimage : Application to SHA-2”, FSE2012,

[D’12] : : D. Khovratovich, “Bicliques for permutations: collision and preimage attacks in stronger settings”, ePrint2012/141

[BR09] : A. Bogdanov and C. Rechberger, “A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN”, SAC 2010

[I’11] : T. Isobe, “A Single Key Attack on the Full GOST Block Cipher”, FSE2011

[BKR11] : A. Bogdanov and D. Khovratovich and C. Rechberger, “Biclique Cryptanalysis of the Full AES”, ASIACRYPT2011

[KLR11] : D. Khovratovich, G.Leurent and C. Rechberger, “Narrow-Bicliques: Cryptanalysis of Full IDEA”, EUROCRYPT2011

Sony Corporation

Reference[IS12] : T. Isobe and K. Shibutani, “Security Analysis of the Lightweight Block Ciphers XTEA, LED and Piccolo” ACISP2012

[NW97] : R.M. Needham and D.J. Wheeler, “Tea Extentions”

[GPPR11] : J. Guo,T. Peyrin, A. Poschmann and M. J. B. Robshaw, “The LED Block Cipher” CHES2011

[SIHMAS11] : K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita and T. Shirai, “Piccolo: An Ultra-Lightweight Blockcipher”CHES2011

[BW12] : A. Bogdanov and M. Wang “Zero Correlation Linear Cryptanalysis with Reduced Data Complexity ” FSE2012

[SWS+] : Y. Sasaki, L. Wang, Y. Sakai, K. Sakiyama and K. Ohta, “Three-Subset Meet-in-the-Middle Attack on Reduced XTEA” Africacrypt2012

[SK00] : H. Seki and T. Kaneko, “Differential Cryptanalysis of Reduced Rounds of GOST”, SAC2000

[BDK07] : E. Biham and O. Dunkelman and N. Keller, “Improved Slide Attacks”, FSE2007

[KM07] : O. Kara and C. Manap, “A New Class of Weak Keys for Blowfish”, FSE2007

[K08] O.Kara, ”Reflection Cryptanalysis of Some Ciphers”, INDOCRYPT2008

[DDS] : I. Dinur, O. Dunkelman and A. Shamir, “Improved Attacks on Full GOST”, FSE2012

Sony Corporation

Reference

Sony Corporation

[MXC09] : M.Wang and X. Wang and C. Hu, “New Linear Cryptanalytic Results of Reduced-Round of CAST-128 and CAST-256”, SAC2009

[S+04] : Y.Shin, J. Kim, G. Kim, S. Hong and S. Lee, “Differential-Linear Type Attacks on Reduced Rounds of SHACAL-2”, ACISP2004

[SMN10] : S. Knellwolf, W. Meier and M. Naya-Plasencia, “Conditional Differential Cryptanalysis of NLFSR-based Cryptosystems” ASIACRYPT2010.

[WZF05] : W. Wu and W. Zhang and D. Feng, “Integral Cryptanalysis of Reduced FOX Block Cipher”, ICISC 2005

Documents

Recent Meet-in-the-Middle Attacks on Block Ciphersweb.spms.ntu.edu.sg/~ask/2012/slides_03_Takanori_Isobe.pdf · Background Meet-in-the-Middle（MitM）attack was proposed by Diffie